Disabling Print Screen through Group Policy
Recently someone asked if it was possible to disable the print screen functionality on their keyboard through Group Policy. My initial response was that I had never seen a policy setting to do this, and indeed I figured that you would need to do some low level trapping of keyboard commands to make this work. That is, until I discovered the Keyboard Scancode Map. The Scancode Map is a way of assigning (and unassigning) functionality to the Windows keyboard. Its a somewhat cryptic system that you can manipulate using registry modifications. In this case, disabling the PrintScreen keyboard combinations (or any other keyboard mappings for that matter) turns out to be relatively easy using a REG_BINARY value in the registry. But, how to apply this using Group Policy? Well, GP Preferences comes to the rescue again! The GPP Registry Extension has no problem handling REG_BINARY data types. So, we can build a GP Preference under Computer Configuration|Preferences|Windows Settings|Registry to handle this. The value that needs to be put in place actually follows a very logical pattern, even though it looks pretty random. The value is as follows:
So what does all these 0′s with the occasional alphanumeric mean? The data is in hexadecimal format. Meaning that each pair of numbers represents a byte of data. The first 8 bytes worth of 00 are essentially the header block. The next 4 bytes (04,00,00,00) delineate how many instructions there will be–in this case 4 (the last two pairs of zeros are the terminator, so the actual number of values is represented by 04,00). Each “value” that contains the scan codes that enable or disable a particular key mapping are stored as 4 byte values in “little endian” format. This document describes the format in more detail.
And where does this value go? Into the registry under HKLMSystemCurrentControlSetControlKeyboard Layout
We create a new REG_BINARY value under this key called Scancode Map and then add the value above to that key. But if we’re using the GPP Registry extension it would look like this:
Note that once this policy is deployed, you will need to reboot the systems that its targeting in order for the scancode to take effect. Also note that the value above will disable PrtScreen, Ctrl-PrtScreen and Alt-PrtScreen combinations.
With this approach is that you can enable or disable multiple keys within a single Scancode Map value. In addition, you can simply remove the Scancode Map value either via policy or directly from the registry, reboot and your keys are back to normal.
The thing to note is that it doesn’t give you 100% coverage against applications copying their data to the clipboard. An application can take responsibility for copying its data to the clipboard, rather than relying on Print Screen, and there’s not much you can do about that. But, in a pinch, this approach beats the heck out of having to get some kind of low-level keyboard code to block out certain keys.